No Kidding: SON OF A BREACH! Podcast Welcomes Dr. Anton Chuvakin for Detection Insights

What do a $10 billion funding request for cybersecurity, a massive collection of 3.2 billion passwords hitting the web, and the godfather of threat detection have in common? 

Among other things, they’re all featured in Episode 2 of our new SON OF A BREACH! podcast series, “Chuvakin be kidding me,” available now.  

Tune in to hear host Randy Watkins, CRITICALSTART’s Chief Technology Officer, share his perspectives on recent news topics: 

  • President Biden's cybersecurity funding request of $10 billion. “This is not a partisan issue, and this is also not a partisan podcast,” says Watkins. “I do think it’s interesting, though, that it was lumped into the COVID relief bill. What does cybersecurity have to do with COVID relief?” Watkins encourages listeners to ask their state representatives to introduce a standalone bill with funding for cybersecurity.  
  • The new normal of advanced persistent threats (APTs). “Given we’ve had two or three additional attacks since the initial discovery of the SolarWinds breach, it looks like APTs are becoming the new normal,” he says. “I’ve read a number of articles over the last couple of weeks that really emphasize the importance of not focusing on retaliation, but instead focusing on defense. I generally think that’s the correct approach.” 
  • The massive COMB (combination of multiple breaches) collection of 3.2 billion passwords hitting the web. Watkins points to the need for multi-factor authentication (“If there’s one thing we can depend on, it’s users reusing passwords”) and user education. He urges organizations to use this incident as an opportunity to bolster their own security practices, saying, “Let the users know you’re not just into it for the corporate security, but also the individual user security. Security starts at the user.” 

Joining Watkins for this podcast episode is threat detection and security expert, Dr. Anton Chuvakin, who currently focuses on security solution strategy for Google Cloud.  

For several years, Dr. Chuvakin covered security operations and detection and response topics at Gartner, where he was Research Vice President and Distinguished Analyst on the Technical Professionals (GTP) Security and Risk Management Strategies team. He has authored several books and published dozens of papers on security information and event management (SIEM), log management, and Payment Card Industry Data Security Standard (PCI DSS) compliance.  

Watch Out for These to Get the Most Value From SIEM 

Some organizations falter with SIEM utilization, log management, and detection correlation for a variety of reasons, Dr. Chuvakin says.  

“I have encountered more projects killed by mismatched expectations than anything else,” he says, adding that lack of headcount, talent, and sufficient resources to keep SIEM running, and lack of a use case approach have “sunk a fair number of projects, too.”  

He also observes, “Lately, the frustrations of trying to make good insights, good security insights, out of bad data have kind of boiled over.” 

Tips for Approaching SIEM and Detection Use Cases 

Dr. Chuvakin recommends organizations step back and consider use cases before they actually implement SIEM in their environment. 

“Start thinking, okay, what are my use cases?” he advises. “Am I buying for compliance? Reporting? Am I buying it to support my incident responders? If I’m detecting threats, what kind of threats? … What sort of data do I need to get?” 

Instead of approaching SIEM as a huge detection project, Dr. Chuvakin suggests coming at it as “a sequence of use cases where you iterate, you learn, you implement simpler ones, and then you grow to others.”  

Perspectives on Detection and Response Models 

While at Gartner, Dr. Chuvakin coined the term “endpoint threat detection and response” to describe what was then a new family of tools designed to increase visibility by using endpoint data. From that came extended detection and response (XDR), which uses multiple data sources for even more visibility in detection and response. 

Asked for his thoughts on XDR, Dr. Chuvakin says his perspective has evolved over the years. “My initial reaction a couple of years ago about XDR was kind of annoyance. But at the same time, it was invented at a competing analyst firm, so it’s sort of a normal reaction.” 

He says he remains a SIEM fan, but that EDR is a viable alternative starting point for detection. “If you expand from that point, you become extended from EDR, and that’s XDR. So, to me, the XDR is a security threat detection monitoring model where the EDR leads, and then other things extend from that.” 

Want to learn more about cybersecurity options for your organization? Contact us today. 
